httpd-docs mailing list archives

* Note that new files created may not have the right permissions on them
* May need to correct this with a periodic cron'ed chown/chmod.
* Is there an argument to chmod to make new files have the right attributes?
What I think you would want is to change the default umask of the users
in question
'umask 022' is pretty typical, so probably want something less public.
Rich Bowen wrote:
>On Sat, 21 Sep 2002, Rich Bowen wrote:
>
>
>
>>On Sat, 21 Sep 2002, Rich Bowen wrote:
>>
>>
>>
>>>I'm going to write up some of our observations over the next few days as
>>>I have time, and was hoping to stir up a little interest so that when I
>>>have something, some folks will be willing to take a look at it.
>>>
>>>
>>OK, please forgive the format. This is a "perlpoint" presentation that I
>>put together for the class that I was teaching, and modified based on
>>our findings.
>>
>>One thing that I'd like to ask about is the deal with mod_mime. If I
>>have a web site consisting *only* of DefaultType documents (say, if I
>>set DefaultType to text/html), then why can't I run Apache without
>>mod_mime?
>>
>>When I tried (ie, ran Apache with only mod_dir and mod_log_config) and
>>went to http://server/ I would get a 404 page, and the error log would
>>say "file /usr/local/apache/htdocs/ not found"
>>
>>Anyways, here's our findings. Comments welcome. I'd like to incorporate
>>these into the security doc, which is a little elderly and somewhat
>>sparse in these particular areas.
>>
>>
>
>Crap. Forgot to attach it. Bah.
>
>
>=Apache security
>
>* Remove modules you're not using
>
>* Set file permissions right
>
>=Modules you're not using
>
>* What is the minimal list of modules you can get away with?
>
>* Why do you need them?
>
>=Module list
>
>* The minimal module list appears to be:
>
> mod_dir
> mod_mime
> mod_log_config (optional, but recommended)
>
>=mod_dir
>
>* Provides DirectoryIndex directive
>
>* People will want to look at http://servername/ and get something useful
>
>=mod_mime
>
>* Necessary if you are serving any files other than DefaultType ones
>
>* For some reason, even DefaultType won't work without mod_mime
>
>=mod_log_config
>
>* You could get away with not running it
>
>* Log files are a good thing if you are going for security
>
>=File permissions
>
>* Recommended file permissions in the docs are crap
>
>* Can get much tighter than that
>
>* Docs should list the I<minimum>, and let you go from there
>
>* Note that directories have to have x in order to cd into them
>
>* It is assumed that C<User> is set to C<www> and that C<Group> is set
to C<www>
>
>=ServerRoot
>
>* ServerRoot itself should be root.www
>
>* Should be read and execute for root and www
>
> cd /usr/local/apache
> chown root.www .
> chmod 550 .
>
>=bin
>
>* The C<bin> directory itself should be C<root.root> and 500
>
>* Files should be 100, except for the script files, which should be 500
>
>* C<suexec> is suid, so should be 4100
>
> chown root.root bin
> chmod 500 bin
> cd bin
> chmod 100 *
> chmod 500 apachectl dbmmanage apxs
> chmod 4100 suexec
>
>=conf
>
>* conf/ is only ever read by root
>
>* Directory should be root.root
>
>* Directory should be 500
>
>* and files should be 400
>
> chown -R root.root conf
> chmod 500 conf
> cd conf
> chmod 400 *
>
>* Note that if you have subdirectories, they should have similar permissions
>
>=cgi-bin and htdocs
>
>* This also applies to other "content" directories
>
>* Two scenarios we consider
>
>* 1) A single content provider
>
>* 2) 2 or more content providers
>
>* Here, "provider" means the person that is producing and maintaining the content
>
>* Other content directories, like C<icons>, should be treated similarly
>
>=Content with one provider
>
>* A single user creates and maintains content. Assume this user has a username C<content>
>
>* Directory (htdocs or cgi-bin, for example) should be owned by C<content.www>
>
>* The directory, and any subdirectories, should be 750
>
>* The files should all be 640
>
> chown -R content.www htdocs
> chmod 750 htdocs
> cd htdocs
> chmod 640 *
>
>* Repeat for subdirectories as needed
>
>=Content with more than one provider
>
>* More than one user provides content
>
>* Create a group called C<content> and put all these users in that group
>
>* Directory should be owned by C<root.content>
>
>* Directory, and any subdirectories, should be 574
>
>* Files should be 664
>
> chown -R root.content htdocs
> chmod 574 htdocs
> cd htdocs
> chmod 664 *
>
>* Repeat for subdirectories as needed
>
>=Multiple providers, cont'd
>
>* Note that new files created may not have the right permissions on them
>
>* May need to correct this with a periodic cron'ed chown/chmod.
>
>* Is there an argument to chmod to make new files have the right attributes?
>
>=include
>
>* Owned by root.root
>
>* Readable only by root
>
> chown -R root.root include
> chmod 500 include
> cd include
> chmod 400 *
>
>=libexec
>
>* Only needed if you have modules built as shared objects
>
>* If you do, then it should be readable only by root
>
> chown -R root.root libexec
> chmod 500 libexec
> cd libexec
> chmod 400 *
>
>=logs
>
>* Logs directory has some caveats
>
>* Standard log files are written as root (C<access_log> and C<error_log>)
>
>* Some other modules log as C<www.root>
>
>* So, here's the recommendation:
>
> chown root.www logs
> chmod 770 logs
>
>* Log files are created at startup, so there's no need to modify permissions inside the
directory, as permissions will change next time you restart.
>
>* Can modify C<mod_log_config.c> to create file without C<group> and C<other>
readability if desired.
>
> - static mode_t xfer_mode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
> + static mode_t xfer_mode = (S_IRUSR | S_IWUSR);
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org